Ok, well, here is my story: my friend and I set up a seemingly impenetrable computer to test whether we could gain access to its administrative account and extra features, etc. Our setup was one that a business would use to keep their employees from hacking their computers while also effectively preventing them from infecting their PCs with malware. As far as we can say it works... almost too well. This is a Windows 7 32-bit computer and here's what we did.

- Reset everything to factory.
- Made a completely random admin account with a lot of letters and numbers in the name and password to prevent cracking.
- In regedit, made a group policy, put the hacking account in it and prevented any executable file type from running except those already available.
- Denied access to the C drive; basically you can look but not edit it.
- You have no access to regedit, Device Manager, or anything of that sort.
- Random BIOS password.
- No access to the SYSTEM account.
- God Mode is still possible.

So basically it's the same as a limited account without the ability to run executable file types, which we soon learned was going to be our biggest problem. Soon we decided to switch to Java as our solution, and that didn't work because Java applications simply haven't gone far enough to help in such a terrible situation. So next we decided to look at viruses that would do the job for us. Almost all viruses need to be launched for the first time by executing them, which was the problem, because they can't do that because of the restriction policy. After 5 days we gave up; now I have been seeking help online because we can't do this alone, we don't have the hacking skills. I would consider this to be an ultimate test for any hacker, ethical or otherwise, so anyone that can defeat this is truly amazing. Oh yeah, and remember that we want to attack this computer without the help of any outside source, like another computer, or taking the hard drive out and hacking it with another computer.

Last edited by Arguntom on Sun Dec 12, 2010 10:40 pm, edited 1 time in total.

Well taking the HD out is the easiest route since the data may or "probably not" be encrypted. Since that is not an option and you are using Windows, I would suggest that you look at several of the Microsoft Security Bulletins as they may point you at a flaw in one of the executables already on the system like with Word or Excel. One question though, can the user save files or make use of a USB drive or other peripheral? I ask only because you say the C: drive is locked down and they cannot write to it. Is the system boot password protected or just the BIOS? Can the 1st boot device be changed? What is the boot order?

I don't mean my commentary to be anything more than constructive criticism.

- Made a completely random admin account with a lot of letters and numbers in the name and password to prevent cracking.

This means absolutely nothing. As the saying goes, "Why Crack When You Can Pass the Hash?" (http://www.sans.org/reading_room/whitep ... hash_33219) Furthermore, at some point in time, you're going to have to either write down that password or store it somewhere. What will you do in the event that you lose it?

- In regedit, made a group policy, put the hacking account in it and prevented any executable file type from running except those already available.

I created a monster ini file to go and lock down machines from copying and pasting, printscreen, sharing, you name it, there was no way in hell someone could leverage anything on the network. Guess what? Once managers were unable to perform necessary functions, it became counterproductive. The approach I took was wrong.

You seriously need to perform a risk assessment to determine what needs protecting and why. You do this so you don't waste time and resources on unnecessary things. Once you understand WHAT needs protection, then you need to determine WHO you need to protect it from.

Your house needs protection from the possibility of a burglar. Do you a) spend money on every single entry point or b) determine what he can possibly get into? If you said a), then you'd waste money buying gates for all of your windows, triple locks on every single door, guard dogs around the perimeter and so on. Had you said b), you could stop and think for a moment... "I'll save the money on uber locks, doors and dogs, get a good lock for the front and back and get an alarm system. Besides, if I have 3 locks on each door, what happens if there is a fire? Am I trapping myself in here?"

Security is comprised of processes and procedures whether we as techies like it or not. Begin with a real world plan. The theory that you submitted won't fly.

Sgt_mjc, external drives are usable, but booting into another OS such as Linux to copy the SAM file isn't possible. I dunno why, and we tried it already, but dual booting and other booting methods (even booting from a CD) are not possible. I think I am just going to purge the hard drive and reinstall Windows; it seems like the only choice.

And sil, I understand what point you are trying to get across, but that doesn't help my situation at all; thanks anyways.

For locking down the system in a meaningful way after doing a risk analysis, you could also look at the guides published by DISA at http://iase.disa.mil/stigs/stig/index.html. These are a little more current than what is published at the NSA site. The key, though, is to determine what you have that needs to be protected and how much protection it needs. Sil's analogy of a house is great and spot on. Hang in there. We all made mistakes when we started.

In fact, just about anything that Peltier writes is worth having. Security Metrics is a must-have book for security numbers management; however, if you're into the IT (technology) side, then it will outright bore you to death. If you HAVE to or like to (don't know why) deal with security management, it's worth having to aid you in coming up with decent, reasonable security metrics (math).

From my perspective, there are ONLY OBJECTIVE points of view, NEVER CAN IT BE SUBJECTIVE, DO NOT BE FOOLED; OBJECTIVE POVs when it comes to security management/risk metrics. That of the AV * EF = (*cough*bull*cough) SLE.

Fuzzy math. Here is the breakdown, followed by my bastardization of the breakdown:

* AV = Asset Value (expressed in dollars) (http://en.wikipedia.org/wiki/Asset). Try understanding how to define an asset when your infrastructure is in the cloud, will you. What shall you say is your asset value then, the cost of the cloud computing service you're paying for?

* EF = Exposure Factor (expressed as a percentage of the asset value). See above. What shall you do when your cloud provider doesn't allow you to perform a vulnerability OR penetration test against your virtualized instance? You could NEVER get a concrete number on this.

* SLE = Single Loss Expectancy (it can be defined as the monetary value expected from the occurrence of a risk on an asset). But if you're not allowed to perform proper Risk Assessments, on what will you be basing your number?

* ALE = Annual Loss Expectancy. Yawn.

* ARO = Annual Rate of Occurrence (number of exposures or incidents that could be expected per year). Yawn...

So my example is as follows... I have an Amazon EC3 host which provides email service. This generates for me approximately 10,000.00 per year. The total cost for me to have this EC3 instance is $25.00 per month (300.00 per year). It cost me a one-time charge of 100.00 to configure and a recurring 10.00 per month to maintain. So far I am spending $420.00 per year. I'll set my asset value at $500.00 to be fair. EC3 is not a tangible asset and can be replaced at the whopping cost of 120.00. There are other fees associated with the setup I could throw in the mix: cost of salary associated with the programmers and developers who'd have to do the work and so on. In a nutshell, fuzzy math; it's whatever I want it to be (OBJECTIVE) even though I can use SUBJECTIVE numbers (25.00 * 12).

AV = 120.00

EF = 10% (because it's Amazon, they WON'T let me pentest in a multitenant cloud... I don't and WON'T have real security metrics)

SLE = 1,200.00

ARO = How humorous is that... ARO. "Gee, I'm hoping to not get owned 2x this year. But because it's Amazon and out of my control, I can't outright fix things, 2x per year I expect this happening." So my ARO is 2,400.00

Would it be safe to say that I should spend $240.00 to protect myself? $240.00 to protect myself... I'm making 10,000.00 per year from this venture. Anyhow, risk management metrics is an art, not a proven science. While there are some measurables to be obtained from risk management, the fact is, as quoted in the past: "There are lies, damned lies and statistics."

AV * EF = SLE is flawed for technology from my POV because there are too many variables to throw into the equation:

From OWASP:

AV x EF = SLE

If our Asset Value is $1000 and our Exposure Factor (% of loss a realized threat could have on an asset) is 25% then we come out with the following figures:

$1000 x 25% = $250

So, our SLE is $250 per incident. To extrapolate that over a year we can apply another formula:

SLE x ARO = ALE (Annualized Loss Expectancy)

The ALE is the possibility of a specific threat taking place within a one-year time frame. You can define your own range, but for convenience's sake let's say that the range is from 0.0 (never) to 1.0 (always). Working on this scale, an ARO of 0.1 would indicate that the ARO value is once every ten years. So, going back to our formula, we have the following inputs:

SLE ($250) x ARO (0.1) = $25 (ALE)

Therefore, the cost to us on this particular asset per annum is $25. The benefits to us are obvious, we now have a tangible (or at the very least semi-tangible) cost to associate with protecting the asset. To protect the asset, we can put a safeguard in place up to the cost of $25 / annum.

How do you calculate these risks/threats? You don't. That is, according to the rules of the game you don't: "You can define your own range." So what is the value of these metrics at the end of the day when you CAN'T truly calculate risk? All you can do is offer qualitative metrics (but that is an altogether 'nother story (Qualitative versus Quantitative) http://wilderdom.com/research/Qualitati ... earch.html).
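As an added illustration of the AV x EF = SLE and SLE x ARO = ALE formulas quoted from OWASP above (this is example code written for this thread, not code from any poster or from OWASP), the following Python runs the OWASP figures (AV $1000, EF 25%, ARO 0.1) through the two formulas and then recomputes the ALE over a grid of alternative EF and ARO guesses, which makes the "fuzzy inputs" point concrete: the same asset and the same arithmetic produce an ALE band two orders of magnitude wide. The safeguard cost/benefit function, (ALE before) minus (ALE after) minus annual safeguard cost, is the standard textbook extension of these metrics and is not from the thread; the grid of EF and ARO values is a constructed sample input.

```python
"""Quantitative risk metrics: AV, EF, SLE, ARO, ALE.

Added example, not from any post in the thread. The OWASP figures quoted
in the thread (AV $1000, EF 25%, ARO 0.1) are used as sample input; the
grid of alternative EF/ARO guesses below is constructed for illustration.
"""
from itertools import product


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF. EF is the fraction of the asset value lost per incident."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. ARO is incidents expected per year (0.1 = once per decade)."""
    if aro < 0:
        raise ValueError("ARO must be non-negative")
    return sle * aro


def ale_from_inputs(asset_value, exposure_factor, aro):
    """Convenience wrapper: AV, EF and ARO straight to ALE."""
    return annualized_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)


def safeguard_net_benefit(ale_before, ale_after, annual_safeguard_cost):
    """Standard cost/benefit test (textbook extension, not from the thread):
    (ALE without safeguard - ALE with safeguard) - annual cost of safeguard.

    Positive means the safeguard saves more per year than it costs; zero is
    the break-even ceiling OWASP describes ("up to the cost of $25 / annum").
    """
    return (ale_before - ale_after) - annual_safeguard_cost


def ale_spread(asset_value, ef_guesses, aro_guesses):
    """Recompute ALE over every combination of EF and ARO guesses.

    Returns (lowest ALE, highest ALE, table) so the reader can see how wide
    the band is when the two estimated inputs are uncertain.
    """
    table = {(ef, aro): ale_from_inputs(asset_value, ef, aro)
             for ef, aro in product(ef_guesses, aro_guesses)}
    return min(table.values()), max(table.values()), table


if __name__ == "__main__":
    # OWASP worked figures from the thread.
    sle = single_loss_expectancy(1000, 0.25)      # 250.0
    ale = annualized_loss_expectancy(sle, 0.1)    # 25.0
    print(f"SLE = ${sle:,.2f}  ALE = ${ale:,.2f}")
    print("net benefit of a $25/yr safeguard that removes the risk:",
          safeguard_net_benefit(ale, 0.0, 25.0))   # 0.0, i.e. break-even

    # Constructed sample grid: EF anywhere from 10% to 50%, ARO from once a
    # decade to twice a year. Same asset, same formula, very different answers.
    low, high, table = ale_spread(1000, [0.10, 0.25, 0.50], [0.1, 0.5, 2.0])
    for (ef, aro), value in sorted(table.items()):
        print(f"EF={ef:.2f} ARO={aro:.1f} -> ALE=${value:,.2f}")
    print(f"ALE ranges from ${low:,.2f} to ${high:,.2f} on the same asset")
```

Run it as a script to see the table; the spread function is the part worth keeping, since it turns a single point estimate into a range that an executive can at least argue about.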

I'm assuming here that your goal is recovering the machine, based on the implied urgency of your post? Can you be more clear on what you are trying to achieve?

I have to agree that you're not looking at all of your options, some of it is really simple.

Depending on what kind of motherboard it is (I'm assuming it's a tower), there may be a jumper to reset the BIOS password, or a way to use the error code returned for a wrong password attempt as a hash to recover the BIOS password.

Then the OS, like sgt_mjc said, you can physically remove the hard drive and attach it to another machine. From there, (I'm not sure how well this works with Windows 7) you may be able to use a tool like chntpw to reset a user's password (someone with admin privileges) to whatever you want it to be.

I've never been really good with privilege escalation if you already have credentials for another user, but there are probably lots of methods.

I also agree with what sil said, in that you really have to measure how much security is necessary for the data you have, and the people in control of it. I've seen some small company networks where the bosses get their way with IT policies, to the point where they were so bothered by a 90 password expiration policy that they decided to have it cancelled. You can have the greatest policies in the world, but if someone still leaves their password written on a sticky note in their desk, it doesn't mean anything.

If your goal is simply answers on how to break into it, then there are plenty of resources available to expand your knowledge of computer security. This is a great site for that!

A vulnerability scan is a good start but can give you an incomplete picture. If you look at it from a risk perspective, there is more you need to look at. A vulnerability scan like that performed by Nessus will give network-facing vulnerabilities, like an FTP server listening. It will not necessarily tell you if the system is vulnerable to a local privilege escalation. For that you need other tools or methods. You also need to look at the configuration of the network, disaster plans, user agreements, etc. The list goes on. In the Federal space, they are migrating to NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, and using NIST SP800-53a, Guide for Assessing the Security Controls in Federal Information Systems and Organizations. This process is very similar to the DoD process called DIACAP. Both are risk management activities designed to minimize risks to C-I-A (Confidentiality, Integrity, Availability). They take in the whole picture, not just a vulnerability scan.

crossover wrote: One more question. I have done security assessments; basically all I do is vulnerability scanning. Is that general industry practice, or should I be doing more steps? Anything I can refer to and learn from?

Hello,

Vulnerability scanning is only one "technical" part of the risk assessment process. The "business" part is equally important.

One method (not the best) to approach Risk Assessment is:

RISK = THREAT + WAY OF ATTACK + VULNERABILITY + ASSET + IMPACT

These 5 components have to be estimated within the organization's specific context, with the approval of the business.

Once this estimate is done, the business, and only the business, has to evaluate the risk and then decide to keep, avoid, reduce or transfer the risk.

You're only here to estimate the risk. Executives and business people are here to evaluate it and decide the way to treat it.

At this point, it is possible to determine necessary and sufficient security objectives and requirements.

This approach is called "EBIOS" and is promoted by the DCSSI and recognized by the French administrations and, according to me, has some good pedagogic virtues.